/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2016-10-08
   Identifier: Malware - October 2016
*/

/* Rule Set ----------------------------------------------------------------- */

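rule Unspecified_Malware_Oct16_A {
   meta:
      description = "Detects an unspecified malware - October 2016"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2016-10-08"
      score = 80
      hash1 = "d112a7e21902287e4a37112bf17d7c73a7b206e7bc81780fd87991c1519f38c8"
   strings:
      /* High-confidence group ($x*): a format string that builds a DLL path
         under system32, a svchost-style command line assembled from a "%s"
         placeholder, and a named pipe carrying a fixed GUID. */
      $x1 = "%s\\system32\\%s.dll" fullword ascii
      $x2 = "%SystemRoot%\\System32\\svch%s -k nets" fullword ascii
      $x3 = "\\\\.\\pipe\\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A" fullword ascii

      /* Supporting group ($s*): the Image File Execution Options key (a
         well-known persistence/hijack location worth hunting for on its own),
         dropped file names, an "at \\host" scheduler command line and UNC/pipe
         format strings. Some entries (Wininet.dll, "%s%d.exe") are generic by
         themselves, which is why the condition asks for 3 of them. */
      $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" fullword ascii
      $s2 = "boottemp.exe" fullword ascii
      $s3 = "at \\\\%s %d:%d C:\\%s.exe" fullword ascii
      $s4 = "cryptcom.dll" fullword ascii
      $s5 = "Wininet.dll" fullword ascii
      $s6 = "\\\\%s\\%s\\%s.exe" fullword ascii
      $s7 = "%s%d.exe" fullword ascii
      $s8 = "booter.exe" fullword ascii
      $s9 = "\\\\%s\\pipe%s" fullword ascii
      $s10 = "C:\\DelInfo.bin" fullword ascii

      /* $op0 reads as four consecutive little-endian dwords
         (0x44ae, 0x44cb, 0x44dc, 0x44f5) - more likely an offset/pointer table
         than machine code; the "Opcode" label is kept from the original.
         The original $op1 was byte-identical to $op0 and has been removed;
         $op2 keeps its identifier so existing match output stays comparable. */
      $op0 = { ae 44 00 00 cb 44 00 00 dc 44 00 00 f5 44 00 00 } /* Opcode */
      $op2 = { ee 11 74 cf 73 0b 91 c4 c9 57 b2 d9 36 86 a5 b4 } /* Opcode */
   condition:
      /* File Detection: MZ header plus size cap, then any one string group.
         "all of ($op*)" is unchanged in effect, since $op1 duplicated $op0. */
      ( uint16(0) == 0x5a4d and filesize < 1000KB and (
         2 of ($x*) or 3 of ($s*) or all of ($op*)
      ) )
      /* In Memory: no header/size check, so a plain count is required instead.
         NOTE(review): "them" now spans 15 strings instead of 16, so a hit on
         the $op0 bytes counts once rather than twice; re-validate against
         hash1 if that one-string margin matters for the memory case. */
      or ( 6 of them )
}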

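rule Sality_Malware_Oct16 {
   meta:
      /* NOTE(review): the rule name attributes the sample to Sality while the
         description is generic; only the typo was corrected here, the
         attribution wording is left as the author wrote it. */
      description = "Detects an unspecified malware - October 2016"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2016-10-08"
      score = 80
      hash1 = "8eaff5e1d4b55dd6e25f007549271da10afd1fa25064d7105de0ca2735487aad"
   strings:
      /* Both strings are short and generic: "Hello world!" is a common
         placeholder and "[LordPE]" looks like an artifact of the LordPE PE
         editing tool (TODO confirm). Expect benign hits; the MZ check, the
         300KB cap and requiring both strings are the only narrowing factors,
         so the score of 80 may be optimistic. */
      $s1 = "Hello world!" fullword wide
      $s2 = "[LordPE]" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}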

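rule Unspecified_Malware_Oct16_C {
   meta:
      description = "Detects an unspecified malware - October 2016"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2016-10-08"
      score = 80
      hash1 = "a451157f75627b2fef3d663946c94ef7dacb58f08b31d0ec4c0a542a1c4e6205"
   strings:
      /* The leading "d" in $s1 is part of the pattern as found in the sample
         (presumably the tail of an adjacent wide string); with "fullword" the
         word boundary is enforced before that "d", not before "USER32". */
      $s1 = "dUSER32.DLL" fullword wide
      $s2 = "output.dll" fullword ascii
   condition:
      /* Two strings only; the 5000KB cap is the main size filter. */
      ( uint16(0) == 0x5a4d and filesize < 5000KB and all of them )
}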

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2016-10-08
   Identifier: Malware October 2016
*/

/* Rule Set ----------------------------------------------------------------- */

rule Bladabindi_Malware_B64 {
   meta:
      description = "Detects Bladabindi Malware using Base64 encoded strings"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2016-10-08"
      hash1 = "dda668b0792b7679979e61f2038cf9a8ec39415cc161be00d2c8301e7d48768d"
   strings:
      /* Each pattern is a complete, padded base64 token (note the "=" padding
         and "fullword"), i.e. the whole string was encoded on its own. A
         differently aligned encoding of the same text inside a larger blob
         would not match; that is expected for standalone tokens like these. */
      $s1 = "XHN5c3RlbTMyXA==" fullword ascii /* base64 encoded string '\system32\' */
      $s2 = "RXhlY3V0ZSBFUlJPUg==" fullword ascii /* base64 encoded string 'Execute ERROR' */
      $s3 = "dHJvamFuLmV4ZQ==" fullword ascii /* base64 encoded string 'trojan.exe' */
      $s4 = "VXBkYXRlIEVSUk9S" fullword ascii /* base64 encoded string 'Update ERROR' */
      $s5 = "RG93bmxvYWQgRVJST1I=" fullword ascii /* base64 encoded string 'Download ERROR' */
   condition:
      /* PE header and size cap, then a single token is enough ("any of them"
         is YARA's spelling of "1 of them"). */
      uint16(0) == 0x5a4d
      and filesize < 700KB
      and any of them
}

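rule Dorkbot_Injector_Malware {
   meta:
      /* Spelling aligned with the rule name (was "Darkbot"). */
      description = "Detects Dorkbot Injector"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2016-10-08"
      hash1 = "bc3c5ac7180c8ac21d6908d747aa6122154d2bb51bb99ff0e0b1c65088d275dc"
   strings:
      /* Most of these read like text from a C tutorial program ("Enter an
         integer ...", "real number = %f") - presumably filler carried by the
         injector rather than functional strings. Individually they are weak,
         so the condition requires 6 of the 7. */
      $s1 = "Enter an integer, a real number, a character and a string : " fullword ascii
      $s2 = "ready to finish" fullword ascii
      $s3 = "EYEnpw" fullword ascii
      $s4 = "somewhere i belong" fullword ascii
      $s5 = "Not all fields were assigned" fullword ascii
      $s6 = "take down" fullword ascii
      $s7 = "real number = %f" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 500KB and 6 of them )
}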

rule Unspecified_Malware_Oct16_D {
   meta:
      description = "Detects unspecified malware - October 2016"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2016-10-08"
      hash1 = "cd5f3bc0176a6803093ffdea6a7442c416e0d2945b6903063d17f5bb8d17519d"
   strings:
      /* Two wide file-name strings plus an ASCII identifier; "passwordIterations"
         looks like a key-derivation parameter name (TODO confirm). */
      $s1 = "C:\\file.exe" fullword wide
      $s2 = "new.exe" fullword wide
      $s3 = "passwordIterations" fullword ascii

      /* Despite the "Opcode" labels, $op1 and $op2 are mostly text:
         $op1 is an "A" byte followed by the UTF-16LE digits "26b42e7b" and a
         trailing "b"; $op2 is the ASCII bytes "<Module>", a NUL, then "new.exe".
         $op0 cannot be read as text from here. */
      $op0 = { 10 00 12 00 1a 00 05 00 01 00 01 00 01 00 10 00 } /* Opcode */
      $op1 = { 41 32 00 36 00 62 00 34 00 32 00 65 00 37 00 62 } /* Opcode */
      $op2 = { 3c 4d 6f 64 75 6c 65 3e 00 6e 65 77 2e 65 78 65 } /* Opcode */
   condition:
      /* MZ header and size cap, then either the complete text group or the
         complete byte-pattern group. */
      uint16(0) == 0x5a4d and filesize < 1000KB
      and (
         ( $s1 and $s2 and $s3 )
         or ( $op0 and $op1 and $op2 )
      )
}

rule Unspecified_Malware_Oct16_E {
   meta:
      description = "Detects unspecified Malware - October 2016"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2016-10-08"
      hash1 = "28093385130b61f22920c0ce6e56de1f2cd8eef589bebe2af31f36f51f2b4d01"
   strings:
      /* NOTE(review): "msdownld.tmp" and "TMP4351$.TMP" look like artifacts of
         Microsoft's IExpress self-extracting packages, which benign installers
         also produce - confirm. If so, $s1 carries most of the discriminating
         weight and the false-positive rate should be checked. */
      $s1 = "P3pORt" fullword ascii
      $s2 = "msdownld.tmp" fullword ascii
      $s3 = "TMP4351$.TMP" fullword ascii
   condition:
      /* PE header, size cap, and every string present. */
      uint16(0) == 0x5a4d
      and filesize < 1000KB
      and $s1 and $s2 and $s3
}
